| Summary |
|---|
| Secure multi-party computation has always played an important role in classical cryptography. Quantum homomorphic encryption (QHE) can perform calculations on encrypted data without decrypting it. Currently, most protocols use semi-honest third parties (TPs) to protect participants’ secrets. We use quantum homomorphic encryption scheme instead of TP to protect the privacy of all parties. Based on quantum homomorphic encryption, a secure multi-party quantum sum scheme is proposed, in which N participants can entrust a server with powerful quantum computing capabilities to assist in calculations. By delegating the computation and key update process to servers and semi-honest key centers, participants encrypt their private message data using the Pauli operator to obtain the sum. In addition, the server can design and optimize the summation line by itself, and get the correct result even if the secret information is negative. Correctness analysis showed that participants were able to obtain the calculation results correctly. Security analysis proves that the scheme can resist both external attacks and attacks by participants themselves, and can resist collusion attacks by up to N-2 participants. Theoretically, this protocol can be generalized to other secure multi-party computation problems. |
QOTP
The quantum homomorphic encryption scheme includes four algorithms, and the implementation process of each algorithm is as follows.
- Key generation algorithm. The client uses the unary representation of the security parameter as the input of the algorithm to obtain a set of keys, namely the classical public encryption key pk, the classical secret decryption key sk and the quantum evaluation key ρ evk ρ_evkrevk。
- Encryption Algorithm. The client encrypts the plain text information M according to the value of the encryption key pk, and sends the encrypted information C to the server. Encryption is the result of combining multiple X and Z gates.
- Homomorphic evaluation algorithm. The server executes the unary operator U on the received encrypted information C and sends the evaluation information E to the client. This process will consume the quantum evaluation key.
- Decryption algorithm. Since the server executes the unitary operator U, the client updates the decryption key sk to decrypt the received evaluation information e, and the decrypted information of the client is essentially the unitary operator U acting on the plaintext information M.
The encryption formula for OTP is as follows
A variant based on this encryption formula is as follows:
When the server performs the evaluation of T or Ty gates, an unexpected s error occurs
If only X and Z are performed on the evaluation results, it cannot be fully obtained T|φ>, s error may occur. In order to eliminate the s error, Gong et al. based on the idea of u-rotation Bell measurement, designed the quantum circuit as shown in the figure to complete the homomorphic evaluation process of the t-gate.
According to the value of the encryption key a, the client performs a rotated Bell measurement of S a and obtains the values of r and t. According to the key update algorithm, the client updates the decryption key to a ⊕ ra\oplus ra⊕r和 a ⊕ r ⊕ t a\oplus r \oplus t a⊕r⊕t , used in the decryption algorithm to complete the evaluation of the t gate.
Quantum full adder circuit
In this section we describe how to build a quantum full adder circuit based on classical binary addition. Suppose there are two unsigned binary numbers, A=(a0,a1,…,a n-1 ) and B=(b0,b1,…,b n-1 ). The sum of these two numbers is C = (c0, c1,…,cn), where q is the carry qubit.
Binary addition includes XOR and AND operations. CNOT and Toffoli gates in quantum circuits perform both operations. A two-participant full adder circuit consisting of CNOT gates and Toffoli gates, a two-bit quantum full adder circuit is shown in the figure below.
The Toffoli gate can be decomposed into 2 H gates, 1 S gate, 6 CNOT gates, 3 t gates and 4 ty gates. The detailed circuit is shown in the figure below.
Detailed decomposition circuit of Toffoli gate is the basic element to realize 2-bit quantum full adder. It transforms the implementation of three-qubit gates into a combination of single-qubit and two-qubit gates, which is easy to experiment and technically implement to a certain extent.
In our protocol, the participant's messages to be encrypted are classical binary data that can be represented by exploiting horizontal and vertical polarization. Vertically polarized photon |1> means 1, horizontally polarized photon |0> means 0. All photons are encrypted using QOTP before being transmitted. Note that if the encrypted message is classic, QOTP can be used to generate a fully secure ciphertext.
Suppose there are N participants (P1, P2, ..., Pn), each of which holds a secret message Ii (i = 1, 2, ..., N) of length m known only to them. They can calculate the sum of Ii with the help of the server and the trusted key center, and the communication model between them and the TP is shown in the figure above. To prevent calculation overflow, a safety parameter K is required, where K = [log2(N)] + 2. In the figure below, we show the flow chart of this scenario.
- The key center randomly generates N keys with a length of 2m, and uses a secure key distribution protocol (such as the BB84 protocol) to Keyi 0 Key^0_iKeyi0Sent to participant Pi.
- If the participant’s secret information I i I_iIiThe number is positive or zero, and participants do not have to do anything with their 0-1 codes. Otherwise, they convert the 0-1 code to 2's complement. They then prepared a sequence of photons ∣ ψ 1 i . . . ∣ ψ M i |\psi^i_1\rangle...|\psi^i_M\rangle∣ψ1i⟩...∣ψMi〉 Based on their 0-1 encoding, ifB inji = 1 Bin^i_j=1Binji=1,则∣ ψ ji ⟩ = ∣ 1 ⟩ |\psi^i_j\rangle=|1\rangle∣ψji⟩=∣1 ⟩ ;B inji = 0 Bin^i_j=0Binji=0,则∣ ψ ji ⟩ = ∣ 0 ⟩ |\psi^i_j\rangle=|0\rangle∣ψji⟩=∣0 . _ Then useKeyi 0 Key^0_iKeyi0Encrypt the photon sequence and obtain ∣ Ψ 1 i . . . ∣ Ψ M i |\Psi^i_1\rangle...|\Psi^i_M\rangle based on QOTP∣Ψ1i⟩...∣ΨMi⟩= X a 1 ( 0 ) Z b 1 ( 0 ) ∣ ψ 1 i ⟩ . . . X a M + L ( 0 ) Z b M + L ( 0 ) ∣ ψ M i ⟩ X^{a_1(0)}Z^{b_1(0)}|\psi^i_1\rangle...X^{a_{M+L}(0)}Z^{b_{M+L}(0)}|\psi^i_M\rangle Xa1(0)Zb1(0)∣ψ1i⟩...XaM+L(0)ZbM+L(0)∣ψMi . _ Finally, the key center adds 2K zero keys based on the security parameter k.
Participants add k photons with length |0> before the photon sequence, then the new photon sequence is∣ 0 1 ⟩ . . . ∣ 0 k ⟩ ∣ Ψ 1 i ⟩ . . . ∣ Ψ M i ⟩ |0_1\rangle ...|0_k\rangle|\Psi^i_1\rangle...|\Psi^i_M\rangle∣01⟩...∣0k⟩∣Ψ1i⟩...∣ΨMi⟩ .Participants with negative information add k length |1 > photons before the photon sequence, and the new photon sequence is∣ 1 1 ⟩ . . . ∣ 1 k ⟩ ∣ Ψ 1 i ⟩ . . . ∣ Ψ M i ⟩ | 1_1\rangle...|1_k\rangle|\Psi^i_1\rangle...|\Psi^i_M\rangle∣11⟩...∣1k⟩∣Ψ1i⟩...∣ΨMi⟩。 - In order to prevent eavesdropping, participants prepare Di decoy photons and randomly insert them into their own photon sequence. Each photon is selected from {|0 >, |1 >, |+ >, |−>}, and The new photon sequence is sent to the server.
- Once the server obtains their photon sequence, the participants announce the position of the inserted decoy photon P oi Po^iP oisum base B ai base Ba^ithey are in B ai . If the inserted bait is |0> or |1>, the measurement base is {|0>, |1>}; if the inserted bait is |+> or |−>, the measurement base is |+> or |−>. The server calculates the accuracy based on the measurement results. If the accuracy is lower than a preset threshold, it indicates the presence of an eavesdropper and terminates the protocol. Otherwise, the server discards these decoy photons and proceeds to the next step.
- The server builds a quantum full adder circuit with each participant's sequence of photons as input to the circuit. In the evaluation operation, the key center updates the key according to the quantum gate and the quantum gate's key update algorithm executed by the server. After the server completes executing all quantum gates in the quantum circuit, the key center obtains the final updated Keyifinal Key^{final}_iKeyifinal, which is the decryption key. The server sends the calculation result to the key center.
- The key center uses the decryption key to decrypt and measure all photons in the photon sequence, and then releases the measurement results to all participants. Participants then compute the sequence of bits to get the sum of their secret messages.
In step 5, in the homomorphic evaluation algorithm, when the server performs the Clifford gate operation on the ciphertext, according to the exchange rules between the Clifford gate and the Pauli matrix, a new Intermediate key. Assume that the i-th Clifford gate operation performed by the server is defined as Gi, acting on the photon sequence G i \psi\rangleGiXak(j)Zbk( j ) ∣ψ The kth one, (if Gi = CNOT, the input qubits are k and l respectively, thenGi ) Z bl ( j ) ∣ ψ G_iX^{a_k(j)}Z^{b_k(j)}|\psi\rangle\otimes G_iX^{a_l(j)}Z^{b_l(j)}|\ psi\rangleGiXak(j)Zbk(j)∣ψ⟩⊗GiXal(j)Zbl( j ) ∣ψ ,where Gi∈{X, Y, Z, H, T, S, CNOT}, ak(j), bk(j) is the (j+1)-intermediate key. For the operation Gi and the key update algorithm, the calculation process of the j+1th intermediate key is as follows:
any arbitrary unitary operator can be composed of H, S, CNOT and T gates, and the client needs the T gate key update in order to Perform any unitary operation on the server. But when t-gates act on encrypted qubits, s-errors occur.